Exadata Database Machine Security

Copyright©2016,Oracleand/oritsaffiliates.Allrightsreserved.|

ExadataDatabaseMachineSecurity

DanNorrisMAATeam,OracleDevelopmentApril14,2016


MAAwithOracleEngineeredSystems(e.g.Exadata)FurtherReduceCost&ComplexityforanyServiceLevel

2

FastestRACNodeFailureRecovery|DeepASMMirroringIntegraBon|FastestBackup-RMANOffloadtoStorage|FastestDataGuardRedoApply|CompleteFailureTesBng

LocalstandbyforHigh-Availability

Failover

AcBveDataGuard

Onlinepatching,reconfiguraBon,

expansion

LAN WAN

Computeservers,DBservers,disks,flash,network,power

HardwareRedundancy

RAC,ASM,Flashback

SoOwareFaultTolerance

WithinExadata WithinaSite

RedundantSystemsRedundantDatabases

RemotestandbyforDisasterRecovery

AcrossSites

RedundantSystemsRedundantDatabases

DATA

BA

SE IN-M

EMO

RY

DATA

BA

SE IN-M

EMO

RY

DATA

BA

SE IN-M

EMO

RY


ProgramAgenda

PreparaRonforinstallaRon

InstallaRon,deployment

Post-deploymentconfiguraRon

DatabasecreaRonandconfiguraRon

OperaRonalsecurityconsideraRons

1

2

3

4

5

3


SecurityTerminology

• AXacksurface–thecodewithinacomputersystemthatcanberunbyunauthorizedusers• Port–networktermreferringtoavirtualendpoint•  Service–operaRngsystemtermreferringtoabackgroundprocessordaemon• CPU–CriRcalPatchUpdate,quarterlyreleasedsecuritypatchesforOracleproducts

GeWngusonthesamepage

4


PreparaRonforInstallaRon

• Geteducated• Collectsecurity-relatedrequirementsfromallstakeholders• Determinewhetherrole-separatedinstallaRonisrequired• Plannetworklayout•  Subscribetosecurityalerts-hXp://is.gd/orasec• ReviewMOSnote1068804.1:GuidelinesforenhancingthesecurityforanOracleDatabaseMachinedeployment• ReviewMOS1405320.1:ResponsestocommonExadatasecurityfindings

Securitystartsearly

5


PlanNetworkLayout

• ClientAccessisentrypointformostaccessesfromapplicaRons• Management(Admin)shouldberestricted•  InfiniBandisprivatetomachine,physicalsecurityprotectsit

Perimetersecurityfornetworks

6


InstallaRonandDeployment

•  Exadataincludesmanysecurityfeaturesbydefault

•  Implementtherecommendedsecuritystepduringdeployment– AKA“ResecureMachine”step

•  Startsecure,onlyopenwhatisnecessary– “Doingsecurity”lateralmostneverhappens(orworks)

• ConfigureASMauditstousesyslog(audit_syslog_level)• ConfigureASM&DBinit.ora:audit_sys_operaRons=true

Implementtheavailablefeaturesandsecurityplan

7


DefaultSecurityFeatures

•  shortpackageinstalllist• onlynecessaryservicesenabled• hXpsmanagementinterface•  sshdsecuredefaultsekngs• passwordaging• maximumfailedloginaXempts


8

•  auditdmonitoringenabled•  cellwall:iptablesfirewall• CPUsincludedinpatchbundles,releasessynchronized•  systemhardening• bootloaderpasswordprotecRon


ResecureMachineStep

•  Inthisstep,severalsecuritychangesaremade:– passwordcomplexityrequirementsareadded(passwdqc:dis,dis,16,12,8)– passwordsareexpired(forcingresetonnextlogin)– passwordagingimplemented– permissionsRghtened


9


ResecureMachineStep$ ./install.sh –cf maa-phys.xml -l

1. Validate Configuration File

2. Setup Required Files

<snip many steps>

17. Install Exachk

18. Create Installation Summary

19. Resecure Machine

10


ResecureMachineStep$ ./install.sh –cf maa-vm.xml -l

1. Validate Configuration File

2. Create Virtual Machine

3. Create Users

<snip many steps>

17. Create Installation Summary

18. Resecure Machine

11


Post-DeploymentConfiguraRon

• Changeallpasswordsforalldefaultaccounts(MOS1291766.1)• PerformvalidaRonforlocalpoliciesorrules– SeeMOS1405320.1forcommonlyidenRfiedauditfindings

•  ExadataSecurity–especiallyforconsolidaRonenvironments

Addresssite-specificrequirements

12



•  *New*in12.1.2.2.0• Cellscanhaveremoteaccessdisabled–nodirectSSHaccesstoOS• Mustenabletemporarilyformaintenance(upgrades)• NewcellaXributes:remoteAccessPerm,remoteAccessTemp• Cantemporarilyenableaccess,automaRclockupataspecifiedRme• CansRllaccessconsoleviaILOM• Useexacli/exadclifromDBnodesforcellcommands

CellLockdown

13



cellcli> create role administrator

cellcli> grant privilege all actions on all objects all attributes with all options to role administrator

cellcli> create user celladministrator password='*'

cellcli> grant role administrator to user celladministrator

CellLockdownSetup

14



# cellcli -e list cell detail | egrep -i 'cellversion|accesslevel'

accessLevelPerm: remoteLoginDisabled

cellVersion: OSS_12.1.2.2.0_LINUX.X64_150917

exacli> alter cell accessLevelTemp=((accessLevel="remoteLoginEnabled", -

startTime="now", -

duration="30m", -

reason="Quarterly maintenance"))

CellLockdown

15



• CellshavesyslogconfcellaXributes(forquiteawhile)• DBnodeshave/etc/rsyslog.conf– On12.1.2.1.0&later,alsohavesyslogconfdbserveraXribute

Centralizedsyslog

16



Onreceivingside,forrsyslogd,modify/etc/rsyslogd.conf:# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

TheHUPrsyslogd:kill -HUP $(cat /var/run/syslogd.pid)

Centralizedsyslogsetup

17



cellcli> alter cell syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');

cellcli> alter cell validate syslogconf 'authpriv.error';

dbmcli> alter dbserver syslogconf=('authpriv.* @syslgsrv', 'security.* @seclogserver');

dbmcli> alter dbserver validate syslogconf 'authpriv.error';

Centralizedsyslog

18


ExadataSecurity(ASM,Griddisks)ConsolidaBon:sharingwithoutpeeking

19

• Privilegesongriddisklevel• Restrictgriddiskstocertainclustersand/orcertaindatabase(s)•  EspeciallyeffecRvetomanagemulRpleadministrators•  Seewhitepapers– OracleExadataDatabaseMachineConsolidaRon:SegregaRngDatabasesandRoles-hXp://is.gd/exaconsolidaRon– BestPracRcesforDatabaseConsolidaRonOnExadataDatabaseMachine-hXp://is.gd/orclconswp


DatabaseCreaRonandConfiguraRonImplementdatabase-specificfeaturesandbestpracBces

20

•  StaycurrentwithExadatabundlepatches(888828.1)– BundlepatchesincludelatestCPUpatches

• ConsiderTDE,networkencrypRon,DataVault,AuditVault• Reviewwhitepaper:“CostEffecRveSecurityandCompliancewithOracleDatabase11gRelease2”-hXp://is.gd/seccompliance11gr2•  TaketheEnterpriseDataSecurityAssessmentathXp://is.gd/entsecassessment


OracleDatabaseSecurityDefenseinDepth

Masking & Subsetting

DBA Controls & Cyber Security

Encryption & Redaction

PREVENTIVE

Activity Monitoring

Database Firewall

Auditing and Reporting

DETECTIVE ADMINISTRATIVE

Privilege & Data Discovery

Configuration Management

Key & Wallet Management

21


OperaRonalSecurityConsideraRonsRemainsecurity-mindedwhenpatching,upgrading,backingup

22

• ChangespermiXedonDBnodes,notcells• Backupscanbeencrypted• Patchingorupgradingmay“undo”somechanges;verifyaOer• DBnodeupdatesuseyumcommandswithexcludes(seedocforexcludes)


OperaRonalSecurityConsideraRonsRemainsecurity-mindedwhenpatching,upgrading,backingup

23

• PeriodicreviewstoensuresekngsremainandvulnerabiliResdon’t•  Secureeraseforstoragecellsisavailable• DiskdriveretenRonisavailable• OracleEnterpriseManagerGovernance,Risk&ComplianceManagerconRnuouslyreviewsthesystem


OperaRonalSecurityConsideraRonsUpdateJDKonDBnodes-arelaBvelycommonrequest(MOS2069987.1)

24

(root)# dbmcli -e alter dbserver shutdown services ms

Stopping MS services...

The SHUTDOWN of MS services was successful.

(root)# rpm -qa | grep jdk

jdk1.8.0_66-1.8.0_66-fcs.x86_64

(root)# rpm -Uvh /tmp/jdk-8u77-linux-x64.rpm

Preparing... ########################################### [100%]

1:jdk1.8.0_77 ########################################### [100%]

<output removed>


jdk1.8.0_66-1.8.0_66-fcs.x86_64

jdk1.8.0_77-1.8.0_77-fcs.x86_64

(root)#


OperaRonalSecurityConsideraRonsUpdateJDKonDBnodes-arelaBvelycommonrequest(MOS2069987.1)

25


jdk1.8.0_66-1.8.0_66-fcs.x86_64

jdk1.8.0_77-1.8.0_77-fcs.x86_64

(root)# rpm -e --nodeps jdk1.8.0_66-1.8.0_66-fcs.x86_64


jdk1.8.0_77-1.8.0_77-fcs.x86_64

(root)#

(root)# cd /opt/oracle/dbserver/dbms/deploy/scripts/unix/

(root)# sh setup_dynamicDeploy DB

<lots of output>

(root)# dbmcli -e alter dbserver startup services ms

Starting MS services...

The STARTUP of MS services was successful.

(root)#


OperaRonalSecurityConsideraRons

Component AccessRequired

Database–Patchset Databaseserverroot,soOwarehomeowner,passwordlessSSHtoallsoOwarehomeowners(onothernodes)

Database–BundlePatch Databaseserverroot,soOwarehomeowner

GridInfrastructure SameasDatabase

ExadataDatabaseServer(OS) Databaseserverroot,passwordlessSSHtodatabaseserverroot

ExadataStorageServer Databaseserverroot,passwordlessSSHfromdatabaseserverroottostorageserverroot(temporarilydisablelockdown)

InfiniBandSwitch Databaseserverroot,InfiniBandswitchpasswordlessSSHtoswitchroot

26

PatchingconsideraBons


LateBreakingSecurityUpdates

MOSNoteorURL DescripBon

2116547.1 DisableSSLv2onOracleExadataDatabaseMachine

2108582.1 glibcvulnerability(CVE-2015-7547)patchavailabilityforOracleExadataDatabaseMachine

hXp://badlock.org/ BadlockbugCVE-2016-2118-Exadataimagesnotaffected(imagesdon'tincludesambapackagesbydefault)

27


Summary

PreparaRonforinstallaRon

InstallaRon,deployment

Post-deploymentconfiguraRon

DatabasecreaRonandconfiguraRon

OperaRonalsecurityconsideraRons

1

2

3

4

5

28


ReferencesNoteorURL DescripBon

hXp://is.gd/orasec OracleSecurityAlertssubscripRon

1068804.1 GuidelinesforenhancingthesecurityforanOracleDatabaseMachinedeployment

1291766.1 HowtochangeOSuserpasswordforCellNode,DatabaseNode,ILOM,KVM,InfinibandSwitch,GigaBitEthernetSwitchandPDUonExadata

888828.1 ExadataDatabaseMachineandExadataStorageServerSupportedVersions

1405320.1 ResponsestocommonExadatasecurityscanfindings

hXp://is.gd/exaconsolidaRon OracleExadataDatabaseMachineConsolidaRon:SegregaRngDatabasesandRoles

hXp://is.gd/entsecassessment EnterpriseDataSecurityAssessment

29


References

MOSNoteorURL DescripBon

2069987.1 HOWTO:UpdateJDKonExadataDatabaseNodes

2075464.1 HOWTO:UpdateJDKonExadataStorageCellNodes

30


SafeHarborStatementTheprecedingisintendedtooutlineourgeneralproductdirecRon.ItisintendedforinformaRonpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfuncRonality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andRmingofanyfeaturesorfuncRonalitydescribedforOracle’sproductsremainsatthesolediscreRonofOracle.

31

Copyright©2016,Oracleand/oritsaffiliates.Allrightsreserved.| 32

Exadata Database Machine Security

Documents